Tags: python-2.7, magento, oauth, privileges, magento-rest-api

Magento REST API, User given admin role but only granted Guest access


I'm writing an app in python that accesses a Magento server using OAuth/REST etc.

The OAuth authentication has been completed, I have the two consumer tokens & the 2 access tokens. Within Magento itself I've followed the configuration steps outlined in numerous blogs - setting up the REST Roles, Attributes & Consumers, and the User Permissions & Roles. I've been over it 500 times (it feels that way!) and can't see any errors, the user's using the REST consumer which has authorized tokens, the user's role is Administrator, so on & so forth.

I noticed something was wrong when, after completing the OAuth process, I tried to post a product to Magento (its database is empty) and received a 403 Access Denied. A GET attempt received the same. I enabled REST API access for Guest, and now the GET receives an empty JSON array and of course the POST still has the 403 - this tells me that Magento isn't looking at the OAuth tokens and logging me in.

It seems that Magento is refusing to accept the consumer/access tokens that it generated during the OAuth authentication process.

Is there a configuration step I've missed, or any info at all that'll provide a way past this roadblock?

Edit: Code snippet added below showing the method I'm using to query Magento:-

    from rauth.session import OAuth1Session
    session = OAuth1Session(consumer_key, consumer_secret, access_key, access_secret)
    headers = {'Content-Type': 'application/json', 'Accept': 'application/json'}
    r = session.get('http://mysite.com/api/rest/products', headers=headers)
    print r.json()

Outputs: {u'messages': {u'error': [{u'message': u'Access denied', u'code': 403}]}}


Solution

  • I was unable to find a solution using the rauth library as shown in the example above, but was able to get it working using oauthlib/requests_oauthlib as follows:-

    from requests_oauthlib import OAuth1 as OAuth
    import requests
    oauth = OAuth(client_key=consumer_key, client_secret=consumer_secret, resource_owner_key=access_key, resource_owner_secret=access_secret)
    h = {'Content-Type': 'application/json', 'Accept': 'application/json'}
    r = requests.get(url='http://mysite.com/api/rest/products', headers=h, auth=oauth)
    print r
    print r.content
    

    print r produces "<Response [200]>", and r.content contains the JSON-formatted list of products.

    I'm surmising that rauth was incorrectly calculating the nonce value or perhaps the encoding was off - something in the request it produced was upsetting Magento, which was therefore refusing to grant access.
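
The following Python 3 example is added here and is not from the original post or from rauth or requests_oauthlib: it computes the OAuth 1.0a HMAC-SHA1 signature as RFC 5849 defines it, so the `oauth_signature` a client library put on the wire can be checked against what a server would compute. The function names, keys, nonce and timestamp are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit, parse_qsl


def pct(value):
    """RFC 5849 section 3.6 encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def base_string(method, url, oauth_params):
    """Build the signature base string (RFC 5849 section 3.4.1)."""
    parts = urlsplit(url)
    # Base URI: lowercase scheme and host, no query string or fragment.
    # (An explicitly written default port would also have to be dropped.)
    base_uri = "%s://%s%s" % (parts.scheme.lower(), parts.netloc.lower(),
                              parts.path or "/")
    # Query parameters are signed together with the oauth_* parameters.
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join("%s=%s" % kv for kv in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(method, url, oauth_params, consumer_secret, token_secret):
    """HMAC-SHA1 signature; the key is both secrets, encoded, joined by '&'."""
    key = "%s&%s" % (pct(consumer_secret), pct(token_secret))
    text = base_string(method, url, oauth_params)
    mac = hmac.new(key.encode(), text.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def matches(method, url, sent_params, consumer_secret, token_secret):
    """True if the oauth_signature a client sent is the one a server would compute."""
    expected = sign(method, url, sent_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, sent_params.get("oauth_signature", ""))


# Constructed sample values, not real credentials.
PARAMS = {
    "oauth_consumer_key": "CK", "oauth_token": "AT", "oauth_nonce": "abc123",
    "oauth_timestamp": "1400000000", "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
}
URL = "http://mysite.com/api/rest/products?limit=2"
```

Feeding `matches` the method, URL and `oauth_*` values captured from a failing request shows whether the signature itself is wrong or whether the rejection comes from something else, such as the role configuration.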